June 11, 2007
CSI Says Security Research Being Hampered
The Computer Security Institute (CSI) has released the results of its research into Web security researchers, and what CSI found isn't pretty.
According to the report that was released at CSI's annual NetSec conference, security research by experts is being hampered by the fear of prosecution.
In the report, which was authored by a working group of Web researchers, computer crime law experts, and U.S. Department of Justice personnel, researchers said that even if they stumble across a web-site bug accidentally, they worry about disclosing it to the site's owner for fear of prosecution.
"Security researchers are able to identify and publicly disclose software vulnerabilities or further write proof-of-concept exploit code without fear of criminal prosecution," said Jeremiah Grossman, CTO of WhiteHat Security and a contributor to the group. "But Web security researchers aren't so lucky: under some laws, a researcher could find himself prosecuted for simply looking for a Web site vulnerability, much less disclosing it publicly." He added that this "means only people that are on the side of the consumer are being silenced for fear of prosecution."
Grossman went on to say that "this report serves as a meeting of the minds, bringing together ideas and concerns from the developers, security researcher and law enforcement communities, making it a unique touch point for everyone caught in the frenzy of Web 2.0."
Specifically, the report contains:
- A matrix of Web security research methods (on a scale of least-invasive to most-invasive), assessments of how the law may interpret these actions and gauges of the likelihood a Web researcher will be criminally prosecuted for such actions.
- Discussion of how the law may be changed, including how liability is assigned, how "damage" is quantified and how disclosure and criminal intent factor into sentencing.
- Endeavors the industry may create to improve Web security within the current letter of the law, such as: better secure Web development standards, better Web site security certifications, anonymous vulnerability disclosure tip lines and a service that invites registered researchers to hack "dummy" Web pages, which are modeled off typical Web sites but contain fake data.
According to Sara Peters, CSI editor and author of the report, "[Web] researchers are terrified about what they can and can't do, and whether they'll face jail or fines. Having the perspective of legal people and law enforcement has been incredibly valuable. [And] this is more complicated than we thought."
CSI is part of CMP Media, as is Dr. Dobb's Journal.
Posted by Jon Erickson at 12:30 PM